Rewrite CSR creation into jq to be more robust

charts/imagepullsecret-injector/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.20
+version: 0.0.21
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/imagepullsecret-injector/scripts/create-signed-cert.sh

@@ -83,23 +83,27 @@ echo "Deleting old CertificateSigningRequests"
 kubectl delete csr ${csrName} 2>/dev/null || true
 
 echo "Creating new CertificateSigningRequests"
-# create  server cert/key CSR and  send to k8s API
+# create server cert/key CSR and  send to k8s API
-cat <<EOF | kubectl create -f -
+jq -n --arg request "$(< "${tmpdir}"/server.csr base64 -w0)" \
-apiVersion: certificates.k8s.io/v1
+  --arg namespace "$namespace" \
-kind: CertificateSigningRequest
+  --arg csrName "$csrName" '{
-metadata:
+    apiVersion: "certificates.k8s.io/v1beta1",
-  name: ${csrName}
+    kind: "CertificateSigningRequest",
-  namespace: ${namespace}
+    metadata: {
-spec:
+      name: $csrName,
-  signerName: kubernetes.io/kubelet-serving
+      namespace: $namespace
-  groups:
+    },
-  - system:authenticated
+    spec: {
-  request: $(< "${tmpdir}"/server.csr base64 | tr -d '\n')
+      signerName: "kubernetes.io/kubelet-serving",
-  usages:
+      groups: ["system:authenticated"],
-  - digital signature
+      request: $request,
-  - key encipherment
+      usages: [
-  - server auth
+        "digital signature",
-EOF
+        "key encipherment",
+        "server auth"
+      ]
+    }
+  }' | kubectl create -f -
 
 # verify CSR has been created
 while true; do